ActivePython 2.5 Documentation

Windows NT Security -- Impersonation

Python's win32 access helps simplify providing privileged access.

There may be times when you want to give specific access to
someone with NT. One mechanism to do this is with the win32 calls
LogonUser and ImpersonateLoggedOnUser. LogonUser gives you a handle
which ImpersonateLoggedOnUser can then use to "become" the user. To do
this, the thread calling LogonUser needs the SE_TCB_NAME,
SE_CHANGE_NOTIFY_NAME, and SE_ASSIGNPRIMARYTOKEN_NAME privileges. If
you plan to do this with something like IIS and CGI, be careful: the anonymous
account IIS uses is already impersonated from the system account. You
will need to use the RevertToSelf API call to first terminate the
impersonation. And the system account, a local account, ultimately
limits you, regardless of who you log in as (COM/MTS can provide an
alternative security solution).

The API call is very similar in both cases, except in Python the
handle is returned separately to the caller. The interesting options
in this case are logonType and logonProvider. To give values for
these, you need to use the constants present in win32con (you can use
the browser in Pythonwin -> Tools to list the constants in
win32con). Unless you have unusual server requirements, for logonType,
win32con.LOGON32_LOGON_INTERACTIVE should be fine. With regard to
logonProvider, generally use win32con.LOGON32_PROVIDER_DEFAULT -- it
specifies the type of logon: NT 3.5, 4.0, Win2000. Generally, the
default is fine.

ImpersonateLoggedOnUser is extremely simple and you'll see its usage in the
examples.
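
The call sequence described above, as an added example that is not part of the ActivePython documentation: LogonUser returns the token handle, ImpersonateLoggedOnUser switches the thread to it, and RevertToSelf plus closing the handle are guaranteed even when the work in between fails. The `impersonate` helper, the `FakeSecurityApi` stand-in, and the account values are hypothetical names constructed for illustration; on Windows, leave `api` unset to use pywin32's win32security.

```python
from contextlib import contextmanager, suppress

# Values of the win32con constants named in the text, repeated here so the
# module also imports where pywin32 is not installed.
LOGON32_LOGON_INTERACTIVE = 2
LOGON32_PROVIDER_DEFAULT = 0


@contextmanager
def impersonate(user, domain, password, api=None,
                logon_type=LOGON32_LOGON_INTERACTIVE,
                logon_provider=LOGON32_PROVIDER_DEFAULT):
    """Run the with-block as `user`; always revert and close the token."""
    if api is None:
        import win32security as api  # pywin32, Windows only
    # In Python the token handle is the return value, not an out-parameter.
    handle = api.LogonUser(user, domain, password, logon_type, logon_provider)
    try:
        api.ImpersonateLoggedOnUser(handle)
        try:
            yield handle
        finally:
            # Runs even if the body raised: the thread must not keep the
            # other user's rights after the block.
            api.RevertToSelf()
    finally:
        handle.Close()


class FakeSecurityApi:
    """Constructed stand-in for win32security that records call order."""
    def __init__(self):
        self.calls = []
    def LogonUser(self, user, domain, password, logon_type, provider):
        self.calls.append(("LogonUser", user, domain, logon_type, provider))
        return self  # doubles as the token handle
    def ImpersonateLoggedOnUser(self, handle):
        self.calls.append(("ImpersonateLoggedOnUser",))
    def RevertToSelf(self):
        self.calls.append(("RevertToSelf",))
    def Close(self):
        self.calls.append(("Close",))


def call_order_when_body_fails(fake=None):
    """Return the names of the API calls made when the with-block raises."""
    fake = fake or FakeSecurityApi()
    with suppress(RuntimeError):
        with impersonate("alice", "EXAMPLE", "constructed-password", api=fake):
            raise RuntimeError("work failed while impersonating")
    return [call[0] for call in fake.calls]
```
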